ABSTRACT

We show that deciding whether a sparse univariate polynomial has a p-adic rational root can be done in NP for most inputs. We also prove a polynomial-time upper bound for trinomials with suitably generic p-adic Newton polygon. We thus improve the best previous complexity upper bound of EXPTIME. We also prove an unconditional complexity lower bound of NP-hardness with respect to randomized reductions for general univariate polynomials. The best previous lower bound assumed an unproved hypothesis on the distribution of primes in arithmetic progression. We also discuss how our results complement analogous results over the real numbers.

1. INTRODUCTION 

The fields ℝ and ℚ_p (the reals and the p-adic rationals) bear more in common than just completeness with respect to a metric: increasingly, complexity results for one field have inspired and motivated analogous results in the other (see, e.g., [Coh69, vdD88] and the pair of works [Kho91] and [Roj04]). We continue this theme by transposing recent algorithmic results for sparse polynomials over the real numbers [BRS09] to the p-adic rationals, sharpening the underlying complexity bounds along the way (see Theorem 1.4 below).

More precisely, for any commutative ring R with multiplicative identity, we let FEAS_R (the R-feasibility problem, a.k.a. Hilbert's Tenth Problem over R [DLPvG00]) denote the problem of deciding whether an input polynomial system F ∈ ⋃_{k,n∈ℕ} (ℤ[x_1, ..., x_n])^k has a root in R^n. (The underlying input size is clarified in Definition 1.1 below.) Observe that FEAS_ℝ, FEAS_ℚ, and {FEAS_{𝔽_q}}_{q a prime power} are central problems respectively in algorithmic real algebraic geometry, algorithmic number theory, and cryptography.
In particular, for any prime p and x ∈ ℤ, recall that the p-adic valuation, ord_p x, is the greatest k such that p^k | x. We can extend ord_p(·) to ℚ by ord_p(a/b) := ord_p(a) − ord_p(b) for any a, b ∈ ℤ; and we let |x|_p := p^{−ord_p x} denote the p-adic norm. The norm |·|_p defines a natural metric satisfying the ultrametric inequality and ℚ_p is, to put it tersely, the completion of ℚ with respect to this metric. This metric, along with ord_p(·), extends naturally to the p-adic complex numbers ℂ_p, which is the metric completion of the algebraic closure of ℚ_p [Rob00, Ch. 3].

We will also need to recall the following containments of complexity classes: P ⊆ ZPP ⊆ NP ⊆ ··· ⊆ EXPTIME, and the fact that the properness of every inclusion above (save P ≠ EXPTIME) is a major open problem [BM88, Pap95]. The definitions of the aforementioned complexity classes are reviewed briefly in the Appendix (see also [Pap95] for an excellent textbook treatment).

1.1 The Ultrametric Side: Relevance and Results

Algorithmic results over the p-adics are central in many computational areas: polynomial time factoring algorithms over ℚ[x_1] [LLL82], computational complexity [Roj02], studying prime ideals in number fields [Coh94, Ch. 4 & 6], elliptic curve cryptography [Lau04], and the computation of zeta functions [CDV06]. Also, much work has gone into using p-adic methods to algorithmically detect rational points on algebraic plane curves via variations of the Hasse Principle^1 (see, e.g., [C-T98, Poo01b, Poo06]). However, our knowledge of the complexity of deciding the existence of solutions for sparse polynomial equations over ℚ_p is surprisingly coarse: good bounds for the number of solutions over ℚ_p in one variable weren't even known until the late 1990s [Len99b]. So we focus on precise complexity bounds for one variable.

Definition 1.1. Let f(x) := Σ_{i=1}^m c_i x^{a_i} ∈ ℤ[x_1, ..., x_n] where x^{a_i} := x_1^{a_{1,i}} ··· x_n^{a_{n,i}}, c_i ≠ 0 for all i, and the a_i are pairwise distinct. We call such an f an n-variate m-nomial. Let us also define

$$\mathrm{size}(f) := \sum_{i=1}^{m} \log_2\big[(2 + |c_i|)(2 + |a_{1,i}|)\cdots(2 + |a_{n,i}|)\big]$$

and, for any F := (f_1, ..., f_k) ∈ (ℤ[x_1, ..., x_n])^k, we define size(F) := Σ_{i=1}^k size(f_i). Finally, we let F_{n,m} denote the subset of ℤ[x_1, ..., x_n] consisting of polynomials with exactly m monomial terms. ⋄

For instance, size(1 + c x_1^d + x_1^{2d}) = O(log(c) + log(d)). So the degree, deg f, of a polynomial f can sometimes be exponential in its size. Note also that ℤ[x_1] is the disjoint union ⋃_{m≥0} F_{1,m}.

^1 If F(x_1, ..., x_n) = 0 is any polynomial equation and Z_K is its zero set in K^n, then the Hasse Principle is the assumption that [Z_ℂ smooth, Z_ℝ ≠ ∅, and Z_{ℚ_p} ≠ ∅ for all primes p] implies Z_ℚ ≠ ∅ as well. The Hasse Principle is a theorem when Z_ℂ is a quadric hypersurface or a curve of genus zero, but fails in subtle ways already for curves of genus one (see, e.g., [Poo01a]).

Definition 1.2. Let FEAS_{ℚ_primes} denote the problem of deciding, for an input polynomial system F ∈ ⋃_{k,n∈ℕ} (ℤ[x_1, ..., x_n])^k and an input prime p, whether F has a root in ℚ_p^n. Also let P ⊂ ℕ denote the set of primes and, when X is a family of such pairs (F, p), we let FEAS_{ℚ_primes}(X) denote the restriction of FEAS_{ℚ_primes} to inputs in X. The underlying input sizes for FEAS_{ℚ_primes} and FEAS_{ℚ_primes}(X) shall be size_p(F) := size(F) + log p (cf. Definition 1.1). Finally, let (ℤ × (ℕ ∪ {0}))^∞ denote the set of all infinite sequences of pairs ((c_i, a_i))_{i=1}^∞ with c_i = a_i = 0 for i sufficiently large. ⋄

Remark 1.3. Note that ℤ[x_1] admits a natural embedding into (ℤ × (ℕ ∪ {0}))^∞ by considering coefficient-exponent pairs in order of increasing exponents, e.g., a + b x_1^{99} + x_1^{2001} ↦ ((a, 0), (b, 99), (1, 2001), (0, 0), (0, 0), ...). ⋄

While there are now randomized algorithms for factoring f ∈ ℤ[x_1] over ℚ_p[x_1] with expected complexity polynomial in size_p(f) + deg(f) [CG00] (see also [Chi91]), no such algorithms are known to have complexity polynomial in size_p(f) alone. Our main theorem below shows that such algorithms are hard to find because their existence is essentially equivalent to the P = NP problem. Moreover, we obtain new sub-cases of FEAS_{ℚ_primes}(ℤ[x_1] × P) lying in P.

Theorem 1.4.

1. FEAS_{ℚ_primes}(F_{1,k} × P) ∈ P for k ∈ {0, 1, 2}.

2. For any f(x_1) = c_1 + c_2 x_1^{a_2} + c_3 x_1^{a_3} ∈ ℤ[x_1] with the points {(0, ord_p(c_1)), (a_2, ord_p(c_2)), (a_3, ord_p(c_3))} non-collinear, and p not dividing a_2, a_3, or a_3 − a_2, we can decide the existence of a root in ℚ_p for f in P.

3. There is a countable union of algebraic hypersurfaces E ⊂ ℤ[x_1] × P, with natural density 0, such that FEAS_{ℚ_primes}((ℤ[x_1] × P) \ E) ∈ NP. Furthermore, we can decide in P whether an f ∈ F_{1,3} also lies in E.

4. If FEAS_{ℚ_primes}(ℤ[x_1] × P) ∈ ZPP then NP ⊆ ZPP.

5. If the Wagstaff Conjecture is true, then FEAS_{ℚ_primes}(ℤ[x_1] × P) ∈ P ⟹ P = NP, i.e., we can strengthen Assertion (4) above.

Remark 1.5. The Wagstaff Conjecture, dating back to 1979 (see, e.g., [BS96, Conj. 8.5.10, pg. 224]), is the assertion that the least prime congruent to k mod N is O(φ(N) log^2 N), where φ(N) is the number of integers in {1, ..., N} relatively prime to N. Such a bound is significantly stronger than the known implications of the Generalized Riemann Hypothesis (GRH). ⋄

While the real analogue of Assertion (1) is known (and easy), the stronger real analogue FEAS_ℝ(F_{1,3}) ∈ P to Assertion (2) was unknown until [BRS09, Thm. 1.3]. We hope to strengthen Assertion (2) to FEAS_{ℚ_primes}(F_{1,3} × P) ∈ P in future work. In fact, we can attain polynomial complexity already for more inputs in F_{1,3} × P than stated above, and this is clarified in Section 3.



Note that ℚ_p is uncountable and thus, unlike FEAS_{𝔽_p}, FEAS_{ℚ_p} does not admit an obvious succinct certificate. Indeed, while it has been known since the late 1990's that FEAS_{ℚ_primes} ∈ EXPTIME relative to our notion of input size [MW96, MW97], we are unaware of any earlier algorithms yielding FEAS_{ℚ_primes}(ℤ[x_1, ..., x_n] × P) ∈ NP for any fixed n: even FEAS_{ℚ_primes}(F_{1,4} × P) ∈ NP and FEAS_ℝ(F_{1,4}) ∈ NP are open questions.^2 Practically speaking, zero density means that under most reasonable input restrictions, the algorithmic speed-up in Assertion (3) is valid over a significantly large fraction of inputs.

Example 1.6. Let T denote the family of pairs (f, p) ∈ ℤ[x_1] × P with f(x_1) = a + b x_1^{11} + c x_1^{17} + x_1^{31} and let T* := T \ E. Then there is a sparse 61 × 61 structured matrix S (cf. Lemma 2.6 in Section 2.3 below), whose entries lie in {0, 1, 31, a, b, 11b, c, 17c}, such that (f, p) ∈ T* ⟺ p ∤ det S. So by Theorem 1.4, FEAS_{ℚ_primes}(T*) ∈ NP, and Corollary 2.10 in Section 2.4 below tells us that for large coefficients, T* occupies almost all of T. In particular, letting T(H) (resp. T*(H)) denote those pairs (f, p) in T (resp. T*) with |a|, |b|, |c|, p ≤ H, we have

$$\frac{\#T^*(H)}{\#T(H)} \ge \Big(1 - \frac{61}{H}\Big)\Big(1 - \frac{31\log_2(124H)}{H}\Big).$$

For instance, one can check via Maple that (−973 + 21x_1^{11} − 2x_1^{17} + x_1^{31}, p) ∈ T* for all but 352 primes p. ⋄

The exceptions in Assertion (3) appear to be due to the presence of ill-conditioned polynomials: f having a root ζ with the (p-adic) norm of f'(ζ) very small — a phenomenon of approximation present in complete fields like ℝ, ℂ, and ℚ_p. Curiously, the real analogue of Assertion (3) remains unknown [BRS09, Sec. 1.2].

As for lower bounds, while it is not hard to show that the full problem FEAS_{ℚ_primes} is NP-hard from scratch, the least n making FEAS_{ℚ_primes}(ℤ[x_1, ..., x_n] × P) NP-hard appears not to have been known unconditionally. In particular, a weaker version of Assertion (4) was found recently, but only under the truth of an unproved hypothesis on the distribution of primes in arithmetic progression [Roj07a, Main Thm.]. Assertion (4) thus also provides an interesting contrast to earlier work of H. W. Lenstra, Jr. [Len99a], who showed that one can actually find all low degree factors of a sparse polynomial (over ℚ[x_1] as opposed to ℚ_p[x_1]) in polynomial time.

1.2 Random Primes and Tropical Tricks 

The key to proving our lower bound results (Assertions (4) and (5) of Theorem 1.4) is an efficient reduction from a problem discovered to be NP-hard by David Alan Plaisted: deciding whether a sparse univariate polynomial vanishes at a complex D-th root of unity [Pla84, Roj07b]. Reducing from this problem to its analogue over ℚ_p is straightforward, provided ℚ_p^* contains a cyclic subgroup of order D where D has sufficiently many distinct prime divisors. We thus need to consider the factorization of p − 1, which in turn leads us to primes congruent to 1 modulo certain integers.

While efficiently constructing random primes in arbitrary arithmetic progressions remains a famous open problem, we can now at least efficiently build random primes p such that p is moderately sized but p − 1 has many prime factors. We use the notation [j] := {1, ..., j} for any j ∈ ℕ.

^2 An earlier result claiming FEAS_{ℚ_primes}(ℤ[x_1] × P) ∈ NP for "most" inputs [Roj07a, Main Thm.] appears to have fatal errors in its proof.

Theorem 1.7. For any δ > 0, a failure probability ε ∈ (0, 1/2), and n ∈ ℕ, we can find — within

$$O\Big(\big(\tfrac{n}{\varepsilon}\big)^{3/2+\delta} + \big(n\log(n) + \log(1/\varepsilon)\big)^{7+\delta}\Big)$$

randomized bit operations — a sequence P = (p_i)_{i=1}^n of consecutive primes and a positive integer c such that

$$\log(c),\ \log\Big(\prod_{i=1}^{n} p_i\Big) = O\big(n\log(n) + \log(1/\varepsilon)\big)$$

and, with probability ≥ 1 − ε, the number p := 1 + c ∏_{i=1}^n p_i is prime.

Theorem 1.7 and its proof are inspired in large part by an algorithm of von zur Gathen, Karpinski, and Shparlinski [vzGKS96, Algorithm following Fact 4.9]. In particular, they used an intricate random sampling technique [vzGKS96, Thm. 4.10] to show, in our notation, that the enumerative analogue of FEAS_{𝔽_primes}(ℤ[x_1, x_2]) is #P-hard [vzGKS96, Thm. 4.11]. Note in particular that neither of Theorem 4.10 of [vzGKS96] or Theorem 1.7 above implies the other.

Our harder upper bound results (Assertions (2) and (3) of Theorem 1.4) will follow from an arithmetic analogue of toric deformations. Here, this simply means that we find ways to reduce problems involving general f ∈ ℤ[x_1] to similar problems involving binomials. As a warm-up, let us recall that the convex hull of any subset S ⊂ ℝ^2 is the smallest convex set containing S. Also, an edge of a polygon P ⊂ ℝ^2 is called lower iff it has an inner normal with positive last coordinate, and the lower hull of P is simply the union of all its lower edges.

Lemma 1.8. (See, e.g., [Rob00, Ch. 6, sec. 1.6].) Given any polynomial f(x_1) := Σ_{i=1}^m c_i x_1^{a_i} ∈ ℤ[x_1], we define its p-adic Newton polygon, Newt_p(f), to be the convex hull of the points {(a_i, ord_p c_i) | i ∈ {1, ..., m}}. Then the number of roots of f in ℂ_p with valuation v, counting multiplicities, is exactly the horizontal length of the lower face of Newt_p(f) with inner normal (v, 1). ■

Example 1.9. For the polynomial f(x_1) := 243x_1^6 − 3646x_1^5 + 18240x_1^4 − 35310x_1^3 + 29305x_1^2 − 8868x_1 + 36, the polygon Newt_3(f) can easily be verified to resemble the following illustration:

[Illustration of Newt_3(f) omitted; its lower hull has vertices (0, 2), (2, 0), (5, 0), and (6, 5).]

Note in particular that there are exactly 3 lower edges, and their respective horizontal lengths and inner normals are 2, 3, 1, and (1, 1), (0, 1), and (−5, 1). Lemma 1.8 then tells us that f has exactly 6 roots in ℂ_3: 2 with 3-adic valuation 1, 3 with 3-adic valuation 0, and 1 with 3-adic valuation −5. Indeed, one can check that the roots of f are exactly 6, 1, and 1/243, with respective multiplicities 2, 3, and 1. ⋄
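The lower-hull computation behind Lemma 1.8, run on the polynomial of Example 1.9, as an added Python example (not code from the paper). It goes slightly beyond the example by also returning the lower binomials (the two terms at the vertices of each lower edge) and by checking the stated roots exactly; a sparse polynomial is represented as a dict {exponent: coefficient}, which is a convention of this example.

```python
"""p-adic Newton polygon of a univariate polynomial, as in Lemma 1.8 (added example)."""
from fractions import Fraction


def ord_p(n: int, p: int) -> int:
    """p-adic valuation of a nonzero integer n (number of factors p)."""
    if n == 0:
        raise ValueError("ord_p(0) is +infinity")
    n, k = abs(n), 0
    while n % p == 0:
        n //= p
        k += 1
    return k


def ord_p_rational(q: Fraction, p: int) -> int:
    """ord_p extended to Q by ord_p(a/b) = ord_p(a) - ord_p(b)."""
    return ord_p(q.numerator, p) - ord_p(q.denominator, p)


def newton_polygon(f: dict, p: int) -> list:
    """Lower hull of {(a_i, ord_p c_i)} for f = sum c_i x^{a_i}, given as {a_i: c_i}.

    Returns the lower edges as ((a_i, u_i), (a_j, u_j)) pairs in order of
    increasing exponent, via a monotone-chain convex hull over the sorted points.
    """
    pts = sorted((a, ord_p(c, p)) for a, c in f.items() if c != 0)
    hull = []
    for pt in pts:
        # Pop the last vertex while hull[-2] -> hull[-1] -> pt is not a strict
        # left turn; collinear points are dropped so each edge is maximal.
        while len(hull) >= 2:
            (x1, y1), (x2, y2) = hull[-2], hull[-1]
            cross = (x2 - x1) * (pt[1] - y1) - (y2 - y1) * (pt[0] - x1)
            if cross > 0:
                break
            hull.pop()
        hull.append(pt)
    return list(zip(hull, hull[1:]))


def root_valuations(f: dict, p: int) -> list:
    """(v, N) pairs: f has exactly N roots in C_p of valuation v (Lemma 1.8).

    An edge from (a_i, u_i) to (a_j, u_j) has inner normal (v, 1) with
    v = -(u_j - u_i)/(a_j - a_i) and horizontal length a_j - a_i.
    """
    return [(Fraction(u1 - u2, a2 - a1), a2 - a1)
            for (a1, u1), (a2, u2) in newton_polygon(f, p)]


def lower_binomials(f: dict, p: int) -> list:
    """The lower binomials of f: the two terms of f at the vertices of each lower edge."""
    return [{a1: f[a1], a2: f[a2]} for (a1, _), (a2, _) in newton_polygon(f, p)]


def evaluate(f: dict, x) -> Fraction:
    """Exact evaluation of f at a rational x."""
    return sum((c * Fraction(x) ** a for a, c in f.items()), Fraction(0))


# Example 1.9 from the text: 243x^6 - 3646x^5 + 18240x^4 - 35310x^3 + 29305x^2 - 8868x + 36
F_EXAMPLE = {6: 243, 5: -3646, 4: 18240, 3: -35310, 2: 29305, 1: -8868, 0: 36}

if __name__ == "__main__":
    print(root_valuations(F_EXAMPLE, 3))   # [(1, 2), (0, 3), (-5, 1)]
    for r in (6, 1, Fraction(1, 243)):
        print(r, evaluate(F_EXAMPLE, r), ord_p_rational(Fraction(r), 3))
```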



The binomial associated to summing the terms of f corresponding to the vertices of a lower edge of Newt_p(f) containing no other point of the form (a_i, ord_p c_i) in its interior is called a lower binomial.

Lemma 1.10. Suppose f(x_1) = c_1 + c_2 x_1^{a_2} + c_3 x_1^{a_3} ∈ ℤ[x_1], the points {(0, ord_p(c_1)), (a_2, ord_p(c_2)), (a_3, ord_p(c_3))} are non-collinear, and p is a prime not dividing a_2, a_3, or a_3 − a_2. Then the number of roots of f in ℚ_p is exactly the number of roots of the p-adic lower binomials of f in ℚ_p. ■

Our last lemma follows easily (taking direct limits) from a more general result ([AI09, Thm. 4.5]) relating the number of roots of f with the number of roots of its lower binomials over ℤ/p^N ℤ for N sufficiently large.

Our main results are proved in Section 3 after the development of some additional theory below.

2. BACKGROUND AND ANCILLARY 
RESULTS 

Our lower bounds will follow from a common chain of reductions, so we will begin by reviewing the fundamental problem from which we reduce. We then show how to efficiently construct random primes p such that p − 1 has many prime factors in Section 2.2 and conclude with some quantitative results for transferring complexity results over ℂ to ℚ_p in Section 2.3.

2.1 Roots of Unity and NP-Completeness 

Recall that any Boolean expression of one of the following forms:

(♦) y_i ∨ y_j ∨ y_k, ¬y_i ∨ y_j ∨ y_k, ¬y_i ∨ ¬y_j ∨ y_k, ¬y_i ∨ ¬y_j ∨ ¬y_k, with i, j, k ∈ [3n],

is a 3CNFSAT clause. Let us first refine slightly Plaisted's elegant reduction from 3CNFSAT to feasibility testing for univariate polynomial systems over the complex numbers [Pla84, Sec. 3, pp. 127–129].

Definition 2.1. Letting P := (p_1, ..., p_n) denote any strictly increasing sequence of primes, let us inductively define a semigroup homomorphism V_P — the Plaisted morphism with respect to P — from certain Boolean expressions in the variables y_1, ..., y_n to ℤ[x_1], as follows:^3 (0) D_P := ∏_{i=1}^n p_i, (1) V_P(0) := 1, (2) V_P(y_i) := x_1^{D_P/p_i} − 1, (3) V_P(¬B) := (x_1^{D_P} − 1)/V_P(B), for any Boolean expression B for which V_P(B) has already been defined, (4) V_P(B_1 ∨ B_2) := lcm(V_P(B_1), V_P(B_2)), for any Boolean expressions B_1 and B_2 for which V_P(B_1) and V_P(B_2) have already been defined. ⋄

Lemma 2.2. [Pla84, Sec. 3, pp. 127–129] Suppose P = (p_k)_{k=1}^∞ is an increasing sequence of primes with log(p_k) = O(k^γ) for some constant γ. Then, for all n ∈ ℕ and any clause C of the form (♦), we have size(V_P(C)) polynomial in n. In particular, V_P can be evaluated at any such C in time polynomial in n. Furthermore, if K is any field possessing D_P distinct D_P-th roots of unity, then a 3CNFSAT instance B(y) := C_1(y) ∧ ··· ∧ C_k(y) has a satisfying assignment iff the univariate polynomial system F_P := (V_P(C_1), ..., V_P(C_k)) has a root ζ ∈ K satisfying ζ^{D_P} = 1. ■

^3 Throughout this paper, for Boolean expressions, we will always identify 0 with "False" and 1 with "True".



Plaisted actually proved the special case K = ℂ of the above lemma, in slightly different language, in [Pla84]. However, his proof extends verbatim to the more general family of fields detailed above.
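A model of Definition 2.1 and Lemma 2.2 in Python, as an added example (not code from [Pla84] or from the paper): each V_P(B) is represented by the set of exponents k for which it vanishes at ζ^k, where ζ is a primitive D_P-th root of unity, so the lcm and quotient rules become union and complement, and the satisfiability correspondence of Lemma 2.2 can be checked directly on constructed 3CNFSAT instances over P = (2, 3, 5). The clause and expression encodings are conventions of this example.

```python
"""Root-set model of the Plaisted morphism V_P of Definition 2.1 (added example)."""
from functools import reduce
from itertools import product
from math import prod

# Clauses are tuples of literals: +i stands for y_i and -i for (not y_i), i >= 1.
# Expressions are nested tuples: ('var', i), ('not', e), ('or', e1, e2).


def plaisted_root_set(expr, primes) -> frozenset:
    """{k in [0, D_P) : V_P(expr) vanishes at zeta^k}, zeta a primitive D_P-th root of 1.

    The rules of Definition 2.1, read on the roots of x^{D_P} - 1 (all simple):
      V_P(y_i) = x^{D_P/p_i} - 1 vanishes at zeta^k iff p_i | k;
      V_P(not B) = (x^{D_P} - 1)/V_P(B) vanishes exactly on the complement;
      V_P(B1 or B2) = lcm(V_P(B1), V_P(B2)) vanishes on the union.
    """
    D = prod(primes)
    kind = expr[0]
    if kind == 'var':
        return frozenset(k for k in range(D) if k % primes[expr[1] - 1] == 0)
    if kind == 'not':
        return frozenset(range(D)) - plaisted_root_set(expr[1], primes)
    if kind == 'or':
        return plaisted_root_set(expr[1], primes) | plaisted_root_set(expr[2], primes)
    raise ValueError(f"unknown expression kind {kind!r}")


def clause_to_expr(clause):
    """(l1, ..., lr) -> ('or', (... ('or', L1, L2) ...), Lr)."""
    lits = [('var', l) if l > 0 else ('not', ('var', -l)) for l in clause]
    return reduce(lambda a, b: ('or', a, b), lits)


def common_roots_of_unity(clauses, primes) -> list:
    """All k with zeta^k a common root of F_P = (V_P(C_1), ..., V_P(C_k)) (Lemma 2.2)."""
    sets = [plaisted_root_set(clause_to_expr(c), primes) for c in clauses]
    return sorted(reduce(frozenset.__and__, sets))


def assignment_from_k(k: int, primes) -> tuple:
    """The truth assignment encoded by zeta^k: y_i is True iff p_i divides k."""
    return tuple(k % p == 0 for p in primes)


def satisfies(clauses, assignment) -> bool:
    return all(any(assignment[l - 1] if l > 0 else not assignment[-l - 1] for l in c)
               for c in clauses)


def brute_force_satisfiable(clauses, n: int) -> bool:
    return any(satisfies(clauses, a) for a in product((False, True), repeat=n))


# Constructed instances over y_1, y_2, y_3 with P = (2, 3, 5), so D_P = 30.
PRIMES = (2, 3, 5)
SAT_CLAUSES = [(1, 2, 3), (-1, -2, -3)]          # "not all false and not all true"
UNSAT_CLAUSES = [tuple(s * i for s, i in zip(signs, (1, 2, 3)))
                 for signs in product((1, -1), repeat=3)]   # all 8 sign patterns

if __name__ == "__main__":
    ks = common_roots_of_unity(SAT_CLAUSES, PRIMES)
    print(ks, [assignment_from_k(k, PRIMES) for k in ks])
    print(common_roots_of_unity(UNSAT_CLAUSES, PRIMES))   # []
```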

2.2 Randomization to Avoid Riemann Hypotheses

The result below allows us to prove Theorem 1.7 and further tailor Plaisted's clever reduction to our purposes. We let π(x) denote the number of primes ≤ x, and let π(x; M, 1) denote the number of primes ≤ x that are congruent to 1 mod M.



AGP Theorem. (very special case of [AGP94, Thm. 2.1, pg. 712]) There exist x_0 > 0 and an ℓ ∈ ℕ such that for each x ≥ x_0, there is a subset E(x) ⊂ ℕ of finite cardinality ℓ with the following property: If M ∈ ℕ satisfies M ≤ x^{2/5} and a ∤ M for all a ∈ E(x) then

$$\pi(x; M, 1) \ge \frac{\pi(x)}{2\varphi(M)}.$$



For those familiar with [AGP94, Thm. 2.1, pg. 712], the result above follows immediately upon specializing the parameters there as follows: (A, ε, δ, y, a) = (49/20, 1/2, 2/245, x, 1) (see also [vzGKS96, Fact 4.9]).

The AGP Theorem enables us to construct random primes from certain arithmetic progressions with high probability. An additional ingredient that will prove useful is the famous recent AKS algorithm for deterministic polynomial-time primality checking [AKS02]. Consider now the following algorithm.

Algorithm 2.3.
Input: A constant δ > 0, a failure probability ε ∈ (0, 1/2), a positive integer n, and the constants x_0 and ℓ from the AGP Theorem.

Output: An increasing sequence P = (p_i)_{i=1}^n of primes such that log p = O(n log(n) + log(1/ε)) and, with probability 1 − ε, p := 1 + c ∏_{i=1}^n p_i is prime. In particular, the output always gives a true declaration as to the primality of p.

Description:

0. Let L := ⌈2/ε⌉ℓ and compute the first nL primes p_1, ..., p_{nL} in increasing order.

1. Define (but do not compute) M_j := ∏_{k=(j−1)n+1}^{jn} p_k for any j ∈ ℕ. Then compute M_L, M_i for a uniformly random i ∈ [L], and x := max{x_0, 17, 1 + M_L^{5/2}}.

2. Compute K := ⌊(x − 1)/M_i⌋ and J := ⌈2 log(2/ε) log x⌉.

3. Pick uniformly random c ∈ [K] until one either has p := 1 + cM_i prime, or one has J such numbers that are each composite (using primality checks via the AKS algorithm along the way).

4. If a prime p was found then output "1 + c ∏_{j=(i−1)n+1}^{in} p_j is a prime that works!" and stop. Otherwise, stop and output "I have failed to find a suitable prime. Please forgive me." ⋄

Remark 2.4. In our algorithm above, it suffices to find integer approximations to the underlying logarithms and square roots. In particular, we restrict to algorithms that can compute the ⌈log_2 C⌉ most significant bits of log C, and the ⌈½ log_2 C⌉ most significant bits of √C, using

O((log C)(log log C) log log log C)

bit operations. Arithmetic-Geometric Mean Iteration and (suitably tailored) Newton Iteration are algorithms that respectively satisfy our requirements (see, e.g., [Ber03] for a detailed description). ⋄

Proof of Theorem 1.7: It clearly suffices to prove that Algorithm 2.3 is correct, has a success probability that is at least 1 − ε, and works within

$$O\Big(\big(\tfrac{n}{\varepsilon}\big)^{3/2+\delta} + \big(n\log(n) + \log(1/\varepsilon)\big)^{7+\delta}\Big)$$

randomized bit operations, for any δ > 0. These assertions are proved directly below. ■

Proving Correctness and the Success Probability Bound for Algorithm 2.3: First observe that M_1, ..., M_L are relatively prime. So at most ℓ of the M_i will be divisible by elements of E(x). Note also that K ≥ 1 and 1 + cM_i ≤ 1 + KM_i ≤ 1 + ((x − 1)/M_i)M_i = x for all i ∈ [L] and c ∈ [K].

Since x ≥ x_0 and x^{2/5} ≥ (x − 1)^{2/5} ≥ (M_L^{5/2})^{2/5} = M_L ≥ M_i for all i ∈ [L], the AGP Theorem implies that with probability ≥ 1 − ε/2 (since i ∈ [⌈2/ε⌉ℓ] is uniformly random), the arithmetic progression {1 + M_i, ..., 1 + KM_i} contains at least π(x)/(2φ(M_i)) primes. In which case, the proportion of numbers in {1 + M_i, ..., 1 + KM_i} that are prime is

$$\ge \frac{\pi(x)}{2K\varphi(M_i)} \ge \frac{\pi(x)}{2KM_i} \ge \frac{\pi(x)}{2x} \ge \frac{1}{2\log x},$$

since π(x) ≥ x/log x for all x ≥ 17 [BS96, Thm. 8.8.1, pg. 233]. So let us now assume that i is fixed and M_i is not divisible by any element of E(x).

Recalling the inequality (1 − 1/t)^{ct} ≤ e^{−c} (valid for all c > 0 and t ≥ 1), we then see that the AGP Theorem implies that the probability of not finding a prime of the form p = 1 + cM_i after picking J uniformly random c ∈ [K] is

$$\le \Big(1 - \frac{1}{2\log x}\Big)^{2\log(2/\varepsilon)\log x} \le e^{-\log(2/\varepsilon)} = \frac{\varepsilon}{2}.$$

In summary, with probability ≥ 1 − ε/2 − ε/2 = 1 − ε, Algorithm 2.3 picks an i with M_i not divisible by any element of E(x) and a c such that p := 1 + cM_i is prime. In particular, we clearly have that log p = O(log(1 + KM_i)) = O(n log(n) + log(1/ε)). ■

(Complexity Analysis of Algorithm 2.3): Let L' := nL and, for the remainder of our proof, let p_i denote the i-th prime. Since L' ≥ 6, p_{L'} < L'(log(L') + log log L') by [BS96, Thm. 8.8.4, pg. 233]. Recall that the primes in [C] can be listed simply by deleting all multiples of 2 in [C], then deleting all multiples of 3 in [C], and so on until one reaches multiples of ⌊√C⌋. (This is the classic sieve of Eratosthenes.) Recall also that one can multiply an integer in [μ] and an integer in [ν] within O((log μ)(log log ν)(log log log ν) + (log ν)(log log μ) log log log μ) bit operations (see, e.g., [BS96, Table 3.1, pg. 43]). So let us define the function Λ(a) := (log log a) log log log a.

Step 0: By our preceding observations, it is easily checked that Step 0 takes O(L'^{3/2} log^3 L') bit operations.

Step 1: This step consists of n − 1 multiplications of primes with O(log L') bits (resulting in M_L, which has O(n log L') bits), multiplication of a small power of M_L by a square root of M_L, division by an integer with O(n log L') bits, a constant number of additions of integers of comparable size, and the generation of O(log L) random bits. Employing Remark 2.4 along the way, we thus arrive routinely at an estimate of

O(n^2 (log L') Λ(L') + log(1/ε) Λ(1/ε))

for the total number of bit operations needed for Step 1.

Step 2: Similar to our analysis of Step 1, we see that Step 2 has bit complexity

O((n log(L') + log(1/ε)) Λ(n log L')).

Step 3: This is our most costly step: Here, we require

O(log K) = O(n log(L') + log(1/ε))

random bits and J = O(log x) = O(n log(L') + log(1/ε)) primality tests on integers with O(log(1 + cM_i)) = O(n log(L') + log(1/ε)) bits. By an improved version of the AKS primality testing algorithm [AKS02, LP05] (which takes O(N^{6+δ}) bit operations to test an N-bit integer for primality), Step 3 can then clearly be done within

O((n log(L') + log(1/ε))^{7+δ})

bit operations, and the generation of O(n log(L') + log(1/ε)) random bits.

Step 4: This step clearly takes time on the order of the number of output bits, which is just O(n log(n) + log(1/ε)) as already observed earlier.

Conclusion: We thus see that Step 0 and Step 3 dominate the complexity of our algorithm, and we are left with an overall randomized complexity bound of

$$\begin{aligned}
& O\Big(L'^{3/2}\log^3(L') + \big(n\log(L') + \log(1/\varepsilon)\big)^{7+\delta}\Big) \\
&= O\Big(\big(\tfrac{n}{\varepsilon}\big)^{3/2}\log^3(n/\varepsilon) + \big(n\log(n) + \log(1/\varepsilon)\big)^{7+\delta}\Big) \\
&= O\Big(\big(\tfrac{n}{\varepsilon}\big)^{3/2+\delta} + \big(n\log(n) + \log(1/\varepsilon)\big)^{7+\delta}\Big)
\end{aligned}$$

randomized bit operations. ■

2.3 Transferring from Complex Numbers to p-adics

Proposition 2.5. Given any f_1, ..., f_k ∈ ℤ[x_1] with maximum coefficient absolute value H, let d_i := deg f_i and

$$f(x_1) := x_1^{d_1} f_1(x_1) f_1(1/x_1) + \cdots + x_1^{d_k} f_k(x_1) f_k(1/x_1).$$

Then f_1 = ··· = f_k = 0 has a root on the complex unit circle iff f has a root on the complex unit circle. In particular, if f_i ∈ F_{1,μ_i} and μ_i ≤ m for all i, then f ∈ F_{1,μ} for some μ ≤ ((m − 1)m + 1)k and f has maximum coefficient bit-size O(log(kmH)). ■

Proposition 2.5 follows easily upon observing that f_i(x_1) f_i(1/x_1) = |f_i(x_1)|^2 for all i ∈ [k] and any x_1 ∈ ℂ with |x_1| = 1.



Lemma 2.6. (See, e.g., [GKZ94, Ch. 12, Sec. 1, pp. 397–402].) Suppose f(x_1) = a_0 + ··· + a_d x_1^d and g(x_1) = b_0 + ··· + b_{d'} x_1^{d'} are polynomials with indeterminate coefficients. Define their Sylvester matrix to be the (d + d') × (d + d') matrix

$$S_{(d,d')}(f,g) := \begin{bmatrix}
a_0 & \cdots & a_d & & \\
 & \ddots & & \ddots & \\
 & & a_0 & \cdots & a_d \\
b_0 & \cdots & b_{d'} & & \\
 & \ddots & & \ddots & \\
 & & b_0 & \cdots & b_{d'}
\end{bmatrix}$$

(the first d' rows carry the shifted coefficients of f, the last d rows those of g), and their Sylvester resultant to be R_{(d,d')}(f, g) := det S_{(d,d')}(f, g). Then, assuming f, g ∈ K[x_1] for some field K and a_d b_{d'} ≠ 0, we have that f = g = 0 has a root in the algebraic closure of K iff R_{(d,d')}(f, g) = 0. Finally, if we assume further that f and g have complex coefficients of absolute value ≤ H, and f (resp. g) has exactly m (resp. m') monomial terms, then |R_{(d,d')}(f, g)| ≤ m^{d'/2} m'^{d/2} H^{d+d'}. ■

The last part of Lemma 2.6 follows easily from Hadamard's Inequality (see, e.g., [Mig82, Thm. 1, pg. 259]).

Lemma 2.7. Suppose D ∈ ℕ and f ∈ ℤ[x_1] \ {0} has degree d, exactly m monomial terms, and maximum coefficient absolute value H. Also let p be any prime congruent to 1 mod D. Then f vanishes at a complex D-th root of unity ⟺ f vanishes at a D-th root of unity in ℚ_p. ■

Remark 2.8. Note that x_1^2 + x_1 + 1 vanishes at a 3rd root of unity in ℂ, but has no roots at all in 𝔽_5 or ℚ_5. Hence our congruence assumption on p in Lemma 2.7. ⋄



Proof of Lemma 2.7: First note that by our assumption on p, ℚ_p has D distinct D-th roots of unity: This follows easily from Hensel's Lemma (cf. the Appendix) and 𝔽_p having D distinct D-th roots of unity. Since ℤ ⊂ ℚ_p and ℚ_p contains all D-th roots of unity by construction, the equivalence then follows directly from Lemma 2.6. ■

2.4 A Remark on Natural Density 

Let us now introduce the A-discriminant and clarify how often our p-adic speed-ups hold for inputs with bounded coefficients.

Definition 2.9. Write any f ∈ ℂ[x_1] as f(x_1) = Σ_{i=1}^m c_i x_1^{a_i} with 0 ≤ a_1 < ··· < a_m. Letting A = {a_1, ..., a_m}, and following the notation of Lemma 2.6, we then define

$$\mathcal{D}_A(f) := R_{(a_m,\, a_m - a)}\Big(f,\ \frac{f'(x_1)}{x_1^{a-1}}\Big),$$

where a denotes the smallest nonzero exponent among the a_i, to be the A-discriminant of f (see also [GKZ94, Ch. 12, pp. 403–408]). Finally, if c_i ≠ 0 for all i, then we call Supp(f) := {a_1, ..., a_m} the support of f. ⋄

Corollary 2.10. For any subset A ⊂ ℕ ∪ {0} of cardinality m, let T_A denote the family of pairs (f, p) ∈ ℤ[x_1] × P with f(x_1) = Σ_{i=1}^m c_i x_1^{a_i}, and T*_A denote the subset of T_A consisting of those pairs (f, p) with p ∤ D_A(f). Also let T_A(H) (resp. T*_A(H)) denote those pairs (f, p) in T_A (resp. T*_A) where |c_i| ≤ H for all i ∈ [m] and p ≤ H. Then, writing d := max A,

$$\frac{\#T^*_A(H)}{\#T_A(H)} \ge \Big(1 - \frac{2d - 1}{H}\Big)\Big(1 - \frac{d\log_2(dmH)}{H}\Big).$$

Our corollary above follows easily from our proof of Assertion (3) of Theorem 1.4 via an application of Lemma 2.6 and the Schwartz–Zippel Lemma [Sch80], and is not used in any of our proofs.






3. THE PROOF OF THEOREM 1.4 

(Assertion (1): FEAS_{ℚ_primes}(F_{1,m} × P) ∈ P for m ≤ 2): First note that the case m ≤ 1 is trivial: such a univariate m-nomial has no roots in ℚ_p iff it is a nonzero constant. So let us now assume m = 2.

Next, we can easily reduce to the special case f(x) := x^d − α with α ∈ ℚ, since we can divide any input by a suitable monomial term, and arithmetic over ℚ is doable in polynomial time. The case α = 0 always results in the root 0, so let us also assume α ≠ 0. Clearly then, any p-adic root ζ of x^d − α satisfies d ord_p ζ = ord_p α. Since we can compute ord_p α and reductions of integers mod d in polynomial-time [BS96, Ch. 5], we can then assume that d | ord_p α (for otherwise, f would have no roots over ℚ_p). Replacing f(x_1) by p^{−ord_p α} f(p^{ord_p α / d} x_1), we can assume further that ord_p α = ord_p ζ = 0. In particular, if ord_p α was initially a nonzero multiple of d, then log α ≥ d log_2 p. So size(f) ≥ d and our rescaling at worst doubles size(f).

Letting k := ord_p d, note that f'(x) = d x^{d−1} and thus ord_p f'(ζ) = ord_p(d) + (d − 1) ord_p ζ = k. So by Hensel's Lemma (cf. the Appendix), it suffices to decide whether the mod p^t reduction of f has a root in (ℤ/p^t ℤ)^*, for t = 1 + 2k. Note in particular that size(p^t) = O(log(p) ord_p d) = O(log(p) log(d)/log p) = O(log d) which is linear in our notion of input size. By Lemma 5.2 of the Appendix, we can then clearly decide whether x^d − α has a root in (ℤ/p^t ℤ)^* within P (via a single fast exponentiation), provided p^t ∉ {8, 16, 32, ...}.

To dispose of the remaining cases p^t ∈ {8, 16, 32, ...}, first note that we can replace d by its reduction mod 2^{t−2} since every element of (ℤ/2^t ℤ)^* has order dividing 2^{t−2}, and this reduction can certainly be computed in polynomial-time. Let us then write d = 2^h d' where 2 ∤ d' and h ∈ {0, ..., t − 3}, and compute d'' := 1/d' mod 2^{t−2}. Clearly then, x^d − α has a root in (ℤ/2^t ℤ)^* iff x^{2^h} − α' has a root in (ℤ/2^t ℤ)^*, where α' := α^{d''} (since exponentiation by any odd power is an automorphism of (ℤ/2^t ℤ)^*). Note also that α', d', and d'' can clearly be computed in polynomial time.

Since x^{2^h} − α' always has a root in (ℤ/2^t ℤ)^* when h = 0, we can then restrict our root search to the cyclic subgroup {1, 5^2, 5^4, 5^6, ..., 5^{2^{t−2} − 2}} when h ≥ 1 and α' is a square (since there can be no roots when h ≥ 1 and α' is not a square). Furthermore, we see that x^{2^h} − α' can have no roots in (ℤ/2^t ℤ)^* if ord_2 α' is odd. So, by rescaling x, we can assume further that ord_2 α' = 0, and thus that α' is odd. Now an odd α' is a square in (ℤ/2^t ℤ)^* iff α' ≡ 1 mod 8 [BS96, Ex. 38, pg. 192], and this can clearly be checked in P. So we can at last decide the existence of a root in ℚ_2 for x^d − α in P: Simply combine fast exponentiation with Assertion 3 of Lemma 5.2 again, applied to x^{2^h} − α' over the cyclic group {1, 5^2, 5^4, 5^6, ..., 5^{2^{t−2} − 2}}.
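The decision procedure of the proof above for a single binomial x^d − α, as an added Python example (not the paper's code): it applies the valuation test, the rescaling, and the Hensel reduction to (ℤ/p^t ℤ)^* with t = 1 + 2 ord_p d, using one fast exponentiation in the cyclic group for odd p and the {±1} × ⟨5⟩ structure of (ℤ/2^t ℤ)^* for p = 2. Lemma 5.2 of the Appendix is not on this page; the criterion used here, that a is a d-th power in a cyclic group of order φ iff a^{φ/gcd(d, φ)} = 1, is the standard one and is an assumption of this example.

```python
"""Deciding whether x^d = alpha has a root in Q_p, after the proof of Assertion (1) (added example)."""
from fractions import Fraction
from math import gcd


def ord_p(n: int, p: int) -> int:
    """p-adic valuation of a nonzero integer."""
    n, k = abs(n), 0
    while n % p == 0:
        n //= p
        k += 1
    return k


def ord_p_rational(q: Fraction, p: int) -> int:
    return ord_p(q.numerator, p) - ord_p(q.denominator, p)


def is_dth_power_mod_2t(a: int, d: int, t: int) -> bool:
    """Is the odd residue a a d-th power in (Z/2^t Z)^*, t >= 3?

    (Z/2^t Z)^* = {+-1} x <5> with <5> cyclic of order 2^(t-2).  Writing d = 2^h d'
    with d' odd, the odd part acts as an automorphism, so only 2^h matters; for h >= 1
    the 2^h-th powers lie in <5> = {u : u = 1 mod 4} and are the 2^h-th powers of that
    cyclic group.  (For t = 3, h = 1 this is exactly the test alpha' = 1 mod 8 in the text.)
    """
    h = ord_p(d, 2)
    if h == 0:
        return True
    if a % 4 != 1:
        return False
    order = 2 ** (t - 2)
    return pow(a, order // gcd(2 ** h, order), 2 ** t) == 1


def binomial_has_root_in_Qp(d: int, alpha, p: int) -> bool:
    """Decide whether x^d - alpha has a root in Q_p (d >= 1, p prime, alpha rational)."""
    alpha = Fraction(alpha)
    if alpha == 0:
        return True                       # the root 0
    v = ord_p_rational(alpha, p)
    if v % d != 0:
        return False                      # a root zeta would need d*ord_p(zeta) = ord_p(alpha)
    unit = alpha / Fraction(p) ** v       # rescale x -> p^(v/d) x: now ord_p(alpha) = ord_p(zeta) = 0
    k = ord_p(d, p)                       # ord_p f'(zeta) = ord_p(d) + (d-1) ord_p(zeta) = k
    t = 1 + 2 * k                         # Hensel: a unit root mod p^t lifts to Z_p
    mod = p ** t
    a = unit.numerator * pow(unit.denominator, -1, mod) % mod   # alpha as a unit mod p^t
    if p == 2:
        return t < 3 or is_dth_power_mod_2t(a, d, t)   # t = 1: (Z/2Z)^* is trivial
    phi = (p - 1) * p ** (t - 1)          # (Z/p^t Z)^* is cyclic of order phi for odd p
    # a is a d-th power in a cyclic group of order phi iff a^(phi / gcd(d, phi)) = 1:
    # a single fast exponentiation, as in the text.
    return pow(a, phi // gcd(d, phi), mod) == 1


if __name__ == "__main__":
    print(binomial_has_root_in_Qp(2, -1, 5))    # True: -1 is a square mod 5
    print(binomial_has_root_in_Qp(3, 2, 3))     # False: 2 is not a cube in Z_3
    print(binomial_has_root_in_Qp(2, 17, 2))    # True: 17 = 1 mod 8
```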



(Assertion (2): FEASQ prlmM (J"i,3 x P) £ P for non-flat 
Newt p (/)): First note that x £ Q p \ Z p •<=>• i£pZ p . Letting 
f*{x) :=x e * f(l/x) denote the reciprocal polynomial of /, 
note that the set of p-adic rational roots of / is simply the 
union of the p-adic integer roots of / and the reciprocals of 
the p-adic integer roots of /* . So we need only show we can 
detect roots in Z p in P. 

As stated, Assertion (2) then follows directly from Lemma 

\LM 

So let us now concentrate on extending polynomiality 
to some of our exceptional inputs: Writing f(x) = c\ + 
C2X a2 + c^x a3 as before, let us consider the special case 
where / £ Ti,3 has a degenerate root in C p and gcd(ci2, 1X3) = 
1. Note that we now allow p to divide any number from 
{a 2 , 03,^3 — 02}. (It is easily checked that the collinearity 
condition fails for such polynomials since their p-adic New- 
ton polygons are line segments.) The {0, 02, a3}-discriminant 
of / then turns out to be A := (a 3 — (22)° 



(-03) 



2 Cg 2 (see, e.g., [GKZ94I Prop. 1.8, pg. 274]). In 



particular, while one can certainly evaluate A with a small 
number of arithmetic operations, the bit-size of A can be 
quite large. However, we can nevertheless efficiently decide 



whether A vanishes for integer Ci via gcd-free bases (see, 
e.g., [BRS09I Sec. 2.4]). Thus, we can at least check whether 
/ has a degenerate root in C p in P. 

Given an $f$ as specified, it is then easily checked that if $\zeta \in \mathbb{C}_p$ is a degenerate root of $f$ then the vector $[c_1, c_2\zeta^{a_2}, c_3\zeta^{a_3}]$ must be a right null vector for the matrix
$$\begin{bmatrix} 1 & 1 & 1 \\ 0 & a_2 & a_3 \end{bmatrix}.$$
In other words, $[c_1, c_2\zeta^{a_2}, c_3\zeta^{a_3}]$ is a multiple of $[\alpha, \beta, \gamma]$ for some integers $\alpha, \beta, \gamma$ with size polynomial in $\mathrm{size}(f)$. Via the extended Euclidean algorithm [BS96, Sec. 4.3], we can find $A$ and $B$ (also of size polynomial in $\mathrm{size}(f)$) with $Aa_2 + Ba_3 = 1$. So then we obtain that
$$\zeta = \zeta^{Aa_2 + Ba_3} = \left(\frac{\beta c_1}{\alpha c_2}\right)^{A} \left(\frac{\gamma c_1}{\alpha c_3}\right)^{B} \in \mathbb{Q}.$$
In other words, $f$ has a rational root, and thus this particular class of $f$ always has $p$-adic rational roots. ■
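The two computations just described, deciding whether $\Delta$ vanishes without ever forming $\Delta$, and recovering the degenerate root from the null vector together with an extended Euclidean combination of $a_2$ and $a_3$, as an added worked example (editor's code, not from the paper). It assumes nonzero integer $c_i$ with $0 < a_2 < a_3$ and $\gcd(a_2, a_3) = 1$, builds the gcd-free basis by a simple pairwise gcd refinement rather than the routine of [BRS09, Sec. 2.4], and also includes the mod-$p$ variant by repeated squaring that the proof of Assertion (3) later uses to test membership in $E$:

```python
from fractions import Fraction
from math import gcd


def gcd_free_basis(nums):
    """Refine positive integers into a pairwise-coprime list (a gcd-free basis):
    every input becomes a product of powers of list elements. Only gcds and
    exact divisions are used, so no factoring is needed."""
    basis = [n for n in nums if n > 1]
    refined = True
    while refined:
        refined = False
        for i in range(len(basis)):
            for j in range(i + 1, len(basis)):
                g = gcd(basis[i], basis[j])
                if g > 1:  # split the pair; the product of the list strictly drops
                    x, y = basis[i] // g, basis[j] // g
                    basis = [b for k, b in enumerate(basis) if k not in (i, j)]
                    basis += [b for b in (x, y, g) if b > 1]
                    refined = True
                    break
            if refined:
                break
    return sorted(basis)


def exponent_vector(n, basis):
    """Exponents e_b with |n| = prod b**e_b over a basis that spans n."""
    n = abs(n)
    vec = {}
    for b in basis:
        e = 0
        while n % b == 0:
            n //= b
            e += 1
        vec[b] = e
    if n != 1:
        raise ValueError("basis does not span the input")
    return vec


def _sign_of_power(base, exp):
    return -1 if base < 0 and exp % 2 == 1 else 1


def _scaled_sum(terms, basis):
    """Exponent vector of prod n**k over (n, k) in terms, without forming powers."""
    total = {b: 0 for b in basis}
    for n, k in terms:
        for b, e in exponent_vector(n, basis).items():
            total[b] += k * e
    return total


def discriminant_vanishes(c1, c2, c3, a2, a3):
    """Delta = (a3-a2)^(a3-a2) a2^a2 c2^a3 - (-a3)^a3 c1^(a3-a2) c3^a2 == 0 ?
    Compare the two monomials by sign and by exponent vectors over a gcd-free
    basis; only the exponents get multiplied by a2, a3 and a3-a2."""
    if 0 in (c1, c2, c3) or not (0 < a2 < a3) or gcd(a2, a3) != 1:
        raise ValueError("expected 0 < a2 < a3, gcd(a2, a3) = 1, nonzero c_i")
    left_sign = _sign_of_power(c2, a3)
    right_sign = (_sign_of_power(-a3, a3) * _sign_of_power(c1, a3 - a2)
                  * _sign_of_power(c3, a2))
    if left_sign != right_sign:
        return False
    basis = gcd_free_basis([a3 - a2, a2, a3, abs(c1), abs(c2), abs(c3)])
    left = _scaled_sum([(a3 - a2, a3 - a2), (a2, a2), (c2, a3)], basis)
    right = _scaled_sum([(a3, a3), (c1, a3 - a2), (c3, a2)], basis)
    return left == right


def discriminant_vanishes_mod_p(c1, c2, c3, a2, a3, p):
    """Delta mod p via repeated squaring (pow with a modulus)."""
    left = pow(a3 - a2, a3 - a2, p) * pow(a2, a2, p) * pow(c2, a3, p)
    right = pow(-a3, a3, p) * pow(c1, a3 - a2, p) * pow(c3, a2, p)
    return (left - right) % p == 0


def extended_gcd(a, b):
    """Return (A, B) with A*a + B*b == gcd(a, b)."""
    old_r, r, old_s, s, old_t, t = a, b, 1, 0, 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_s, old_t


def degenerate_rational_root(c1, c2, c3, a2, a3):
    """If Delta = 0, return the degenerate root zeta as an exact rational:
    (c1, c2 zeta^a2, c3 zeta^a3) is proportional to the null vector
    (alpha, beta, gamma) = (a3-a2, -a3, a2) of [[1,1,1],[0,a2,a3]], and
    A*a2 + B*a3 = 1 gives zeta = (zeta^a2)^A (zeta^a3)^B."""
    if not discriminant_vanishes(c1, c2, c3, a2, a3):
        return None
    alpha, beta, gamma = a3 - a2, -a3, a2
    lam = Fraction(c1, alpha)
    zeta_a2 = beta * lam / c2   # = zeta**a2
    zeta_a3 = gamma * lam / c3  # = zeta**a3
    A, B = extended_gcd(a2, a3)
    return zeta_a2 ** A * zeta_a3 ** B


def is_degenerate_root(c1, c2, c3, a2, a3, z):
    """Exact check that z is a common root of f and f'."""
    f = c1 + c2 * z ** a2 + c3 * z ** a3
    df = a2 * c2 * z ** (a2 - 1) + a3 * c3 * z ** (a3 - 1)
    return f == 0 and df == 0
```

For $f = 4 - 3x^2 + x^3 = (x-2)^2(x+1)$ (a constructed sample) the check reports $\Delta = 0$ and the root recovery returns $2$ from $A = -1$, $B = 1$; for $1 + x + x^2$ the exponent vectors differ and no rational degenerate root is reported.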



(Assertion (3): $\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{primes}}}(\mathbb{Z}[x_1] \times \mathcal{P}) \in \mathbf{NP}$ for most inputs): Just as in our reduction from $\mathbb{Q}_p$ to $\mathbb{Z}_p$ in the beginning of our last proof, it is enough to show that, for most $f$, roots in $\mathbb{Z}_p$ admit succinct certificates. We can also clearly assume that $f$ is not divisible by $x_1$.

Observe now that the $p$-adic valuations of all the roots of $f$ in $\mathbb{C}_p$ can be computed in polynomial-time. This is easily seen via two facts: (1) convex hulls of subsets of $\mathbb{R}^2$ can be computed in polynomial-time (see, e.g., [Ede87]), and (2) the valuation of any root of $f(x) = \sum_{i=1}^m c_i x^{a_i}$ is a ratio of the form $\frac{\mathrm{ord}_p(c_i) - \mathrm{ord}_p(c_j)}{a_j - a_i}$, where $(a_i, \mathrm{ord}_p(c_i))$ and $(a_j, \mathrm{ord}_p(c_j))$ are respectively the left and right vertices of a lower edge of $\mathrm{Newt}_p(f)$ (cf. Lemma 1.5 of the Appendix). Since $\mathrm{ord}_p(c_i) \le \log_p(c_i) \le \mathrm{size}(c_i)$, note in particular that every root $\zeta \in \mathbb{C}_p$ of $f$ satisfies $|\mathrm{ord}_p \zeta| \le 2\max_i \mathrm{size}(c_i) \le 2\,\mathrm{size}(f) \le 2\,\mathrm{size}_p(f)$.
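Facts (1) and (2) above, as an added example (editor's code, not the paper's): the lower hull of $\mathrm{Newt}_p(f)$ is computed by a monotone-chain scan, and each lower edge is read off as a block of root valuations with multiplicity, so the sum of the multiplicities is $\deg f$. Polynomials are assumed to be given as `{exponent: coefficient}` dictionaries with $f(0) \ne 0$, and $\mathrm{size}(c)$ is taken to be the bit length of $|c|$, an assumption standing in for the paper's size function:

```python
from fractions import Fraction


def ord_p(n, p):
    """p-adic valuation of a nonzero integer n."""
    if n == 0:
        raise ValueError("ord_p(0) is infinite")
    v = 0
    while n % p == 0:
        n //= p
        v += 1
    return v


def lower_hull(points):
    """Lower convex hull of integer points (x, y), left to right
    (Andrew's monotone chain). Collinear interior points are dropped."""
    hull = []
    for q in sorted(points):
        # pop while the last two hull points and q fail to make a left turn
        while len(hull) >= 2:
            (ax, ay), (bx, by) = hull[-2], hull[-1]
            cross = (bx - ax) * (q[1] - ay) - (by - ay) * (q[0] - ax)
            if cross <= 0:
                hull.pop()
            else:
                break
        hull.append(q)
    return hull


def root_valuations(f, p):
    """Valuations of the roots of f in C_p, read off Newt_p(f).
    f is {exponent: coefficient} with integer coefficients and f(0) != 0.
    Returns [(valuation, multiplicity)]: the lower edge joining
    (a_i, ord_p c_i) to (a_j, ord_p c_j) contributes a_j - a_i roots of
    valuation (ord_p c_i - ord_p c_j) / (a_j - a_i), i.e. minus its slope."""
    if f.get(0, 0) == 0:
        raise ValueError("assume f is not divisible by x, i.e. f(0) != 0")
    points = [(a, ord_p(c, p)) for a, c in f.items() if c != 0]
    hull = lower_hull(points)
    return [(Fraction(vi - vj, aj - ai), aj - ai)
            for (ai, vi), (aj, vj) in zip(hull, hull[1:])]


def valuation_bound(f):
    """2 * max_i size(c_i) with size(c) := bit length of |c| (assumed here);
    every valuation returned by root_valuations lies within this bound."""
    return 2 * max(abs(c).bit_length() for c in f.values())


def main():
    # constructed sample: x^2 - 5x + 6 = (x - 2)(x - 3)
    f = {0: 6, 1: -5, 2: 1}
    for p in (2, 3, 5):
        print(p, root_valuations(f, p), "bound", valuation_bound(f))


if __name__ == "__main__":
    main()
```

For $x^2 - 5x + 6$ and $p = 2$ the hull has two edges, giving one root of valuation $1$ (the root $2$) and one of valuation $0$; for $p = 5$ the middle vertex lies above the segment joining the endpoints, so both roots have valuation $0$. For the binomial $2 + x^5$ and $p = 2$ the single edge gives five roots of valuation $1/5$, which is why roots in $\mathbb{C}_p$ rather than $\mathbb{Q}_p$ are considered here.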

Since $\mathrm{ord}_p(\mathbb{Z}_p) = \mathbb{N} \cup \{0\}$, we can clearly assume that $\mathrm{Newt}_p(f)$ has an edge with non-positive integral slope, for otherwise $f$ would have no roots in $\mathbb{Z}_p$. Letting $a$ denote the smallest nonzero exponent in $f$, $g(x) := f'(x)/x^{a-1}$, and $\zeta \in \mathbb{Z}_p$ any $p$-adic integer root of $f$, note then that $\mathrm{ord}_p f'(\zeta) = (a-1)\,\mathrm{ord}_p(\zeta) + \mathrm{ord}_p g(\zeta)$. Note also that
$$\mathcal{D}_A(f) = \mathrm{Res}_{a_m,\, a_m - a_1}(f, g),$$
so if $p \nmid \mathcal{D}_A(f)$ then $f$ and $g$ have no common roots in the algebraic closure of $\mathbb{F}_p$ by Lemma 2.6. In particular, $p \nmid \mathcal{D}_A(f) \Longrightarrow g(\zeta) \not\equiv 0 \bmod p$; and thus $p \nmid \mathcal{D}_A(f) \Longrightarrow \mathrm{ord}_p f'(\zeta) = (a-1)\,\mathrm{ord}_p(\zeta)$. Furthermore, by the convexity of the lower hull of $\mathrm{Newt}_p(f)$, it is clear that
$$\mathrm{ord}_p(\zeta) \le \max_{i,j} \frac{\mathrm{ord}_p c_j - \mathrm{ord}_p c_i}{a_i - a_j} \le 2\max_i \log_p |c_i| \le 2\,\mathrm{size}(f).$$
So $p \nmid \mathcal{D}_A(f) \Longrightarrow \mathrm{ord}_p f'(\zeta) \le 2\,\mathrm{size}(f)$.

Our fraction of inputs admitting a succinct certificate will then correspond precisely to those $(f, p)$ such that $p \nmid \mathcal{D}_A(f)$. In particular, let us define $E$ to be the union of all pairs $(f, p)$ such that $p \mid \mathcal{D}_A(f)$, as $A$ ranges over all finite subsets of $\mathbb{N} \cup \{0\}$. It is then easily checked that $E$ is a countable union of hypersurfaces.

Fix $\ell = 4\,\mathrm{size}(f)$. Clearly then, by Hensel's Lemma, for any $(f, p) \in (\mathbb{Z}[x_1] \times \mathcal{P}) \setminus E$, $f$ has a root $\zeta \in \mathbb{Z}_p \Longleftrightarrow f$ has a root $\zeta_0 \in \mathbb{Z}/p^\ell\mathbb{Z}$. Since $\log(p^\ell) = O(\mathrm{size}(f)\log p) = O(\mathrm{size}_p(f))$, and since arithmetic in $\mathbb{Z}/p^\ell\mathbb{Z}$ can be done in time polynomial in $\log(p^\ell)$ [BS96, Ch. 5], we have thus at last found our desired certificate: a root $\zeta_0 \in (\mathbb{Z}/p^\ell\mathbb{Z})^*$ of $f$ with $\ell = 4\,\mathrm{size}(f)$.

To conclude, the assertion on checking whether trinomial inputs lie in $E$ follows immediately from our earlier observations on deciding the vanishing of $\Delta$. In particular, instead of applying gcd-free bases, we can simply use recursive squaring and efficient $\mathbb{F}_p$-arithmetic. ■

(Assertion (4): $\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{primes}}}(\mathbb{Z}[x_1] \times \mathcal{P})$ is NP-hard under ZPP-reductions): We will prove a (ZPP) randomized polynomial-time reduction from 3CNFSAT to $\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{primes}}}(\mathbb{Z}[x_1] \times \mathcal{P})$, making use of the intermediate input families $\{(\mathbb{Z}[x_1])^k \mid k \in \mathbb{N}\}$ and $\mathbb{Z}[x_1] \times \{x_1^D - 1 \mid D \in \mathbb{N}\}$ along the way.

Toward this end, suppose $B(y) := C_1(y) \wedge \cdots \wedge C_k(y)$ is any 3CNFSAT instance. The polynomial system $(\mathcal{P}_P(C_1), \ldots, \mathcal{P}_P(C_k))$, for $P$ the first $n$ primes (employing Lemma 2.2), then clearly yields the implication $\mathrm{FEAS}_{\mathbb{C}}(\{(\mathbb{Z}[x_1])^k \mid k \in \mathbb{N}\}) \in \mathbf{P} \Longrightarrow \mathbf{P} = \mathbf{NP}$. Composing this reduction with Proposition 2.5 we then immediately obtain the implication $\mathrm{FEAS}_{\mathbb{C}}(\mathbb{Z}[x_1] \times \{x_1^D - 1 \mid D \in \mathbb{N}\}) \in \mathbf{P} \Longrightarrow \mathbf{P} = \mathbf{NP}$.

At this point, we need only find a means of transferring from $\mathbb{C}$ to $\mathbb{Q}_p$. This we do by preceding our reductions above by a judicious (possibly new) choice of $P$. In particular, by applying Theorem 1.7 with $\varepsilon = 1/3$ (cf. Lemma 2.7) we immediately obtain the implication $\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{primes}}}((\mathbb{Z}[x_1] \times \{x_1^D - 1 \mid D \in \mathbb{N}\}) \times \mathcal{P}) \in \mathbf{ZPP} \Longrightarrow \mathbf{NP} \subseteq \mathbf{ZPP}$.

To conclude, observe that any root $(x, y) \in \mathbb{Q}_p^2 \setminus \{(0, 0)\}$ of the quadratic form $x^2 - py^2$ must satisfy $2\,\mathrm{ord}_p x = 1 + 2\,\mathrm{ord}_p y$, an impossibility. Thus the only $p$-adic rational root of $x^2 - py^2$ is $(0, 0)$ and we easily obtain a polynomial-time reduction from $\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{primes}}}((\mathbb{Z}[x_1] \times \{x_1^D - 1 \mid D \in \mathbb{N}\}) \times \mathcal{P})$ to $\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{primes}}}(\mathbb{Z}[x_1] \times \mathcal{P})$: simply map any instance $(f(x_1), x_1^D - 1, p)$ of the former problem to $(f(x_1)^2 - (x_1^D - 1)^2 p,\; p)$. So we are done. ■

(Assertion (5): $\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{primes}}}(\mathbb{Z}[x_1] \times \mathcal{P})$ is NP-hard, assuming Wagstaff's Conjecture): If we also have the truth of the Wagstaff Conjecture then we simply repeat our last proof, replacing our AGP Theorem-based algorithm with a simple brute-force search. This maintains polynomial complexity, but with the added advantage of completely avoiding randomization. ■
exponential in the input size.

The classical Hensel's Lemma can be phrased as follows.
Lemma 5.1. [Rob00, Pg. 48] Suppose $f \in \mathbb{Z}_p[x_1]$ and $\zeta_0 \in \mathbb{Z}_p$ satisfies $f(\zeta_0) \equiv 0 \pmod{p^\ell}$ and $\mathrm{ord}_p f'(\zeta_0) < \ell/2$. Then there is a root $\zeta \in \mathbb{Z}_p$ of $f$ with $\zeta \equiv \zeta_0 \pmod{p^{\ell - \mathrm{ord}_p f'(\zeta_0)}}$ and $\mathrm{ord}_p f'(\zeta) = \mathrm{ord}_p f'(\zeta_0)$. ■
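A checker for the certificate used in the proof of Assertion (3), which is exactly the hypothesis of Lemma 5.1, together with the Newton iteration that produces the root the lemma promises, as an added example (editor's code, not from the paper or [Rob00]). It assumes $f$ is given as an `{exponent: coefficient}` dictionary with integer coefficients and takes $\ell$ as an explicit parameter (the proof fixes $\ell = 4\,\mathrm{size}(f)$):

```python
def ord_p(n, p):
    """p-adic valuation of a nonzero integer."""
    if n == 0:
        raise ValueError("ord_p(0) is infinite")
    v = 0
    while n % p == 0:
        n //= p
        v += 1
    return v


def poly_eval(f, x, mod=None):
    """Evaluate f = {exponent: coefficient} at x, optionally modulo mod.
    pow() handles sparse (large) exponents without expanding the polynomial."""
    total = sum(c * pow(x, a, mod) for a, c in f.items())
    return total % mod if mod else total


def poly_derivative(f):
    return {a - 1: a * c for a, c in f.items() if a > 0}


def verify_certificate(f, p, zeta0, ell):
    """Hypotheses of Lemma 5.1 for the certificate (zeta0, ell):
    f(zeta0) ≡ 0 (mod p^ell) and ord_p f'(zeta0) < ell/2.
    Both checks run in time polynomial in log(p^ell) and the size of f."""
    if poly_eval(f, zeta0, p ** ell) != 0:
        return False
    dval = poly_eval(poly_derivative(f), zeta0)
    return dval != 0 and 2 * ord_p(dval, p) < ell


def hensel_lift(f, p, zeta0, ell, target):
    """Lift a verified certificate to a root of f modulo p^target.
    Each Newton step zeta -> zeta - f(zeta)/f'(zeta) raises the precision n
    (f(zeta) ≡ 0 mod p^n) to at least 2n - 2k with k = ord_p f'(zeta); since
    n > 2k this is strictly larger than n, so the loop terminates."""
    if not verify_certificate(f, p, zeta0, ell):
        raise ValueError("certificate does not satisfy Hensel's hypotheses")
    df = poly_derivative(f)
    modulus = p ** target
    zeta = zeta0 % modulus
    while True:
        val = poly_eval(f, zeta)
        if val % modulus == 0:
            return zeta
        dval = poly_eval(df, zeta)
        k = ord_p(dval, p)            # equals ord_p f'(zeta0) throughout (Lemma 5.1)
        unit = dval // p ** k         # p-free part of f'(zeta), invertible mod p^target
        zeta = (zeta - (val // p ** k) * pow(unit, -1, modulus)) % modulus


def main():
    # constructed sample: x^2 - 17 over Z_2, certificate zeta0 = 1 with ell = 4
    f = {0: -17, 2: 1}
    print(verify_certificate(f, 2, 1, 4), hensel_lift(f, 2, 1, 4, 10))


if __name__ == "__main__":
    main()
```

For $x^2 - 17$ and $p = 2$ the certificate $\zeta_0 = 1$, $\ell = 4$ passes ($f(1) = -16$ and $\mathrm{ord}_2 f'(1) = 1 < 2$), and two Newton steps reach a square root of $17$ modulo $2^{10}$; with $\ell = 2$ the same $\zeta_0$ is rejected, since $\mathrm{ord}_2 f'(1) = 1$ is not below $\ell/2$, which is the precision margin the proof buys by taking $\ell = 4\,\mathrm{size}(f)$.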

The final tool we will need is a standard lemma on binomial equations over certain finite groups. Recall that for any ring $R$, we denote its unit group by $R^*$.

Lemma 5.2. (See, e.g., [BS96, Thm. 5.7.2 & Thm. 5.6.2, pg. 109]) Given any cyclic group $G$, $a \in G$, and an integer $d$, the following 3 conditions are equivalent:

1. the equation $x^d = a$ has a solution $x \in G$.

2. the order of $a$ divides $\#G/\gcd(d, \#G)$.

3. $a^{\#G/\gcd(d,\#G)} = 1$.

Also, $\mathbb{F}_q^*$ is cyclic for any prime power $q$, and $(\mathbb{Z}/p^\ell\mathbb{Z})^*$ is cyclic for any $(p, \ell)$ with $p$ an odd prime or $\ell \le 2$. Finally, for $\ell \ge 3$, $(\mathbb{Z}/2^\ell\mathbb{Z})^* = \{\pm 1, \pm 5, \pm 5^2, \pm 5^3, \ldots, \pm 5^{2^{\ell-2}-1} \bmod 2^\ell\}$.
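Lemma 5.2's criterion, and its use for the 2-adic case sketched at the start of this section (where $(\mathbb{Z}/2^\ell\mathbb{Z})^* = \{\pm 1\} \times \langle 5 \rangle$ is not cyclic), as an added example (editor's code, not from the paper or [BS96]). It decides solvability of $x^d \equiv a \pmod{p^\ell}$ for a unit $a$ with a single modular exponentiation, alongside a brute-force reference for tiny moduli. The handling of even $d$ by restricting to the cyclic subgroup $\langle 5 \rangle$ is the editor's own bookkeeping and is assumed to match the $\pm a$ argument in the text; $p$ is assumed prime and is not checked:

```python
from math import gcd


def unit_group_order(p, ell):
    """#(Z/p^ell Z)^* = p^(ell-1) (p-1)."""
    return p ** (ell - 1) * (p - 1)


def cyclic_power_solvable(a, d, order, modulus):
    """Lemma 5.2 for a cyclic group of the given order realised inside
    (Z/modulus Z)^*: x^d = a is solvable iff a^(order / gcd(d, order)) = 1."""
    return pow(a, order // gcd(d, order), modulus) == 1


def power_equation_solvable(a, d, p, ell):
    """Decide whether x^d ≡ a (mod p^ell) has a solution, for a unit a,
    using only modular exponentiation (the group is never enumerated).
    Odd p, or p = 2 with ell <= 2: the unit group is cyclic, apply Lemma 5.2.
    p = 2, ell >= 3: the unit group is {±1} x <5> with <5> cyclic of order 2^(ell-2)."""
    m = p ** ell
    if p < 2 or ell < 1 or d < 1 or gcd(a, m) != 1:
        raise ValueError("need a prime power modulus p^ell, d >= 1 and a unit a")
    a %= m
    if p != 2 or ell <= 2:
        return cyclic_power_solvable(a, d, unit_group_order(p, ell), m)
    if d % 2 == 1:
        # d is coprime to #(Z/2^ell Z)^* = 2^(ell-1), so x -> x^d is a bijection
        return True
    # even d: every x^d lies in <5> = {units ≡ 1 mod 4}; inside that cyclic
    # subgroup Lemma 5.2 applies with order 2^(ell-2)
    return a % 4 == 1 and cyclic_power_solvable(a, d, 2 ** (ell - 2), m)


def power_equation_solvable_by_search(a, d, p, ell):
    """Exhaustive reference check; only sensible for tiny moduli."""
    m = p ** ell
    return any(pow(x, d, m) == a % m for x in range(m) if gcd(x, m) == 1)


def main():
    # constructed samples: 17 is an odd square mod 32 (7^2 = 49 ≡ 17), 3 is not a square mod 8
    print(power_equation_solvable(17, 2, 2, 5), power_equation_solvable(3, 2, 2, 3))
    print(power_equation_solvable(2, 3, 7, 2))   # cubes in (Z/49Z)^*


if __name__ == "__main__":
    main()
```

The cost of `power_equation_solvable` is one exponentiation modulo $p^\ell$ with an exponent below $p^\ell$, so the decision is polynomial in $\ell \log p$ and $\log d$, whereas the reference search is exponential in $\ell \log p$.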



4 Note that the underlying polynomial depends only on the problem in question (e.g., matrix inversion, shortest path finding, primality detection) and not the particular instance of the problem.



